Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Client Posture Assessment Overview
Cisco NAC Appliance compliance policies reduce the threat of computer viruses, worms, and other malicious code on your network. Cisco NAC Appliance is a powerful tool that enables you to enforce network access requirements, detect security threats and vulnerabilities on clients, and distribute patches, antivirus and anti-spyware software. It lets you block access or quarantine users who do not comply with your security requirements, thereby stopping viruses and worms at the edge of the network, before they can do harm.
Cisco NAC Appliance evaluates a client system when a user tries to access the network. Almost all aspects of Cisco NAC Appliance are configured and applied by user role and operating system. This allows you to customize Cisco NAC Appliance as appropriate for the types of users and devices that will be accessing your network. Cisco NAC Appliance provides three different methods for finding vulnerabilities on client systems and allowing users to fix vulnerabilities or install required packages:
• Cisco NAC Appliance Agent only (Cisco NAC Agent or Cisco NAC Web Agent)
• Network scanning only
• Agent with network scanning
Summary Steps for Configuring Client Posture Assessment
The general summary of steps to configure client posture assessment in Cisco NAC Appliance is as follows:
Step 1 Download Updates.
Retrieve general updates for the Agent(s) and other deployment elements. See Retrieving Cisco NAC Appliance Updates, page 9-12.
Step 2 Configure Agent-based access or network scanning per user role and OS in the General Setup tab.
Require use of the Agent for a role, enable network scanning web pages for web login users, and block or quarantine users with vulnerabilities. See Client Login Overview, page 1-6.
Step 3 Configure the client posture assessment-related user roles with session timeout and traffic policies (In-Band).
Traffic policies for the quarantine role allow access to the User Agreement Page and web resources for quarantined users who failed network scanning. Traffic policies for the Agent Temporary role allow access to the resources from which the user can download required software packages. See Configure Policies for Agent Temporary and Quarantine Roles, page 8-19.
Step 4 Configure Agent-based posture assessment, network scanning, or both.
• If configuring Agent Login. Require use of the Agent for the user role in the General Setup > Agent Login tab. Plan and define your requirements per user role. Configure AV Rules or create custom rules from checks. Map AV Rules to an AV Definition Update requirement, and/or map custom rules to a custom requirement (File Distribution/Link Distribution/Local Check). Map requirements to each user role. See Configuring Agent-Based Posture Assessment, page 9-39.
• If configuring network scanning. Load Nessus plugins to the Clean Access Manager repository. To enable network scanning, select the Nessus plugins to participate in scanning, then configure scan result vulnerabilities for the user roles and operating systems. Customize the User Agreement page. See Network Scanning Implementation Steps, page 12-3. Note that the results of network scanning may vary due to the prevalence of personal firewalls which block any network scanning from taking place.
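The policy model that Step 4 describes (checks combined into rules, rules mapped to requirements, requirements mapped to a user role and operating system, with a failed Agent check landing the client in the Agent Temporary role and a flagged network-scan result landing it in the Quarantine role) is easier to reason about when written out as code. The following is an added illustration, not Cisco's code and not the Clean Access Manager's actual evaluation engine: the class names, the seven-day definition-age rule, the hotfix identifier KB-EXAMPLE-1, the Nessus plugin name, the remediation URLs, the reference date and the sample client facts are all constructed for the example, and the order in which Agent posture and scan results are applied is an assumption.

```python
"""Toy model of the posture policy structure described in the configuration guide.

Added example, not Cisco code. All names, dates, identifiers and URLs are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, FrozenSet, List, Set

# "Facts" the Agent would report about the client (constructed sample values below).
Facts = Dict[str, object]

TODAY = date(2013, 3, 1)  # constructed reference date for the definition-age check


@dataclass
class Check:
    """A single test against the client's reported facts."""
    name: str
    test: Callable[[Facts], bool]


@dataclass
class Rule:
    """A rule passes only when every check it references passes."""
    name: str
    checks: List[Check]


@dataclass
class Requirement:
    """A requirement (AV Definition Update, File/Link Distribution, Local Check)
    groups rules and applies only to the listed operating systems."""
    name: str
    kind: str
    rules: List[Rule]
    operating_systems: Set[str]
    remediation_url: str  # hypothetical resource reachable from the Agent Temporary role


@dataclass
class PolicyResult:
    outcome: str  # "access", "agent_temporary" or "quarantine"
    failed_requirements: List[str] = field(default_factory=list)
    vulnerabilities: List[str] = field(default_factory=list)


def rule_passes(rule: Rule, facts: Facts) -> bool:
    return all(check.test(facts) for check in rule.checks)


def evaluate_agent_posture(facts: Facts, requirements: List[Requirement]) -> List[str]:
    """Return the names of requirements that apply to the client's OS and fail."""
    return [
        req.name
        for req in requirements
        if facts["os"] in req.operating_systems
        and not all(rule_passes(rule, facts) for rule in req.rules)
    ]


def evaluate_network_scan(findings: List[str], quarantine_plugins: FrozenSet[str]) -> List[str]:
    """Keep only scan findings the administrator flagged as quarantine vulnerabilities."""
    return sorted(set(findings) & quarantine_plugins)


def decide(facts: Facts, requirements: List[Requirement],
           scan_findings: List[str] = None,
           quarantine_plugins: FrozenSet[str] = frozenset()) -> PolicyResult:
    """Assumed ordering: Agent requirements first, then network scan results."""
    failed = evaluate_agent_posture(facts, requirements)
    if failed:
        return PolicyResult("agent_temporary", failed_requirements=failed)
    vulns = evaluate_network_scan(scan_findings or [], quarantine_plugins)
    if vulns:
        return PolicyResult("quarantine", vulnerabilities=vulns)
    return PolicyResult("access")


# Constructed policy for a hypothetical "employee" role on Windows.
AV_INSTALLED = Check("av_installed", lambda f: bool(f.get("av_product")))
AV_DEFS_FRESH = Check(
    "av_defs_within_7_days",
    lambda f: f.get("av_definition_date") is not None
    and TODAY - f["av_definition_date"] <= timedelta(days=7),
)
HOTFIX_PRESENT = Check("hotfix_present", lambda f: "KB-EXAMPLE-1" in f.get("hotfixes", set()))

AV_RULE = Rule("AV_Windows", [AV_INSTALLED, AV_DEFS_FRESH])
HOTFIX_RULE = Rule("Hotfix_Windows", [HOTFIX_PRESENT])

EMPLOYEE_WINDOWS_REQS = [
    Requirement("AV Definition Update", "AV Definition Update", [AV_RULE],
                {"Windows"}, "http://remediation.example/av"),
    Requirement("Security Hotfix", "Link Distribution", [HOTFIX_RULE],
                {"Windows"}, "http://remediation.example/hotfix"),
]
QUARANTINE_PLUGINS = frozenset({"nessus-plugin-placeholder-1"})

# Constructed client facts.
COMPLIANT_CLIENT = {"os": "Windows", "av_product": "ExampleAV",
                    "av_definition_date": date(2013, 2, 27), "hotfixes": {"KB-EXAMPLE-1"}}
STALE_AV_CLIENT = {"os": "Windows", "av_product": "ExampleAV",
                   "av_definition_date": date(2013, 1, 1), "hotfixes": {"KB-EXAMPLE-1"}}
MAC_CLIENT = {"os": "Mac OS X", "av_product": None, "av_definition_date": None}

if __name__ == "__main__":
    print(decide(COMPLIANT_CLIENT, EMPLOYEE_WINDOWS_REQS))
    print(decide(STALE_AV_CLIENT, EMPLOYEE_WINDOWS_REQS))
    print(decide(COMPLIANT_CLIENT, EMPLOYEE_WINDOWS_REQS,
                 ["nessus-plugin-placeholder-1"], QUARANTINE_PLUGINS))
```

Two properties of the model are worth noting against the guide's text: requirements are filtered by operating system before they are evaluated, so the Mac client is not held to Windows-only requirements and gets access, and a failed requirement carries a remediation URL, which is exactly the kind of resource the Agent Temporary role's traffic policy (Step 3) must permit. The guide's caveat about personal firewalls applies to the scan stage: a client whose scan returns no findings because the probes were blocked is indistinguishable from a clean one in this model, which is why the Agent-based requirements are the more reliable evidence.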